Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Presentation transcript:

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me

Introduction

Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL) as many still know it, are cryptographic protocols used to provide communication security over the Internet. Hypertext Transfer Protocol Secure (HTTPS) is not actually a protocol in and of itself. It is the use of Hypertext Transfer Protocol (HTTP) on top of TLS, which affords the standard HTTP communications protocol the protection of TLS. Session Hijacking (a.k.a. Session Sidejacking) is a form of Man In The Middle (MITM) attack in which a malicious attacker has access to the transport layer and can eavesdrop on communications. When communications are not protected, the attacker can steal the unique session ID and impersonate the victim on the target site. This grants the attacker access to your account and data.

Why do we use TLS?

- To verify the website you are connecting to is the genuine website.
- To ensure the privacy of your data during transit.
- To ensure the integrity of your data during transit.

Example

When first visiting the site you are using HTTP. The sensitive login form is loaded over HTTPS.

Example

The login form is loaded over HTTPS to ensure the integrity of the form in transit. This prevents a man in the middle from altering the form. The login form then submits the user credentials over HTTPS to ensure the same man in the middle can't read the credentials in transit. The TLS certificate also allows us to be confident that the website we are viewing is actually the website it claims to be. The fact that TLS has been utilised is an acknowledgement that a man in the middle could access or modify data during transit.

Example

The problem arises when the site reverts back to loading content over HTTP once the user has authenticated. The assumption is that now the sensitive user credentials have been exchanged we no longer need to protect the traffic during transit.

Why does this matter?

HTTP and HTTPS are stateless protocols. This means each time you request some new content from the site (a page, image or any form of media) the server does not know who you are; it does not remember you. To combat this, when you first visit a site you are issued a unique session ID. With each request you send to the site, your session ID is sent with it. This is how the site identifies you. Once you have logged in on the secure login page, your session ID lets the server remember you have logged in without having to keep sending your username and password to prove your identity. Once the website reverts back to HTTP your session ID still has to be sent, but it is no longer afforded the protection offered by TLS.

Summary

TLS (HTTPS) was used to protect your username and password during the logon process to prevent a man in the middle viewing the content of your traffic and stealing your credentials. The session ID is not afforded the same level of protection, yet an attacker could use it to impersonate you on the target website. All they need to do is replace their own session ID with yours and the server will believe the attacker is you. Once your session ID has been obtained this is a trivial task. The attacker is then logged in to your account and can do anything that you could do.

Conclusion

Whilst obtaining your session ID does not generally reveal your username or password, the attacker can still access your account as if they were logged in as you. This attack is possible because TLS is not used across the entire site. We accept an attacker could access our traffic, which is why we need TLS in the first instance. Sites regularly fail to protect the session ID, which can be considered equivalent to your user credentials on the target website. Forcing all traffic to the site over HTTPS would completely mitigate a session hijacking attack.
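The "Why does this matter?" slide explains that the session ID rides along with every request, including the plain HTTP ones after login, and the conclusion argues that the fix is to keep the whole site on HTTPS. The following example, added here and not part of Scott Helme's slides, models that behaviour with the Python standard library's cookie jar, which applies the same rules a browser does: a session cookie issued without the Secure attribute is attached to an http:// request for the next page, whereas a cookie with Secure is withheld from it. The hostname, cookie name and session value are constructed for the example; the small `audit_set_cookie` helper that reports which attributes a Set-Cookie header carries is an assumption of this example, not a library API.

```python
"""Added example (not from the original slides): why an unprotected session
cookie leaks once a site falls back to HTTP, and how the Secure attribute
stops the cookie being sent over plain HTTP at all."""
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed values for the example; the host and session ID are made up.
HOST = "www.example.com"
WEAK_SET_COOKIE = "session=abc123; Path=/; HttpOnly"             # no Secure attribute
HARDENED_SET_COOKIE = "session=abc123; Path=/; HttpOnly; Secure"  # Secure attribute set


class _FakeResponse:
    """Minimal stand-in for the urllib response object that
    CookieJar.extract_cookies() reads Set-Cookie headers from."""

    def __init__(self, set_cookie_header):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._msg


def cookie_sent_over(set_cookie_header, scheme):
    """Return the Cookie header a browser-like jar attaches to a request for
    scheme://HOST/account after the login response issued set_cookie_header,
    or None if the jar withholds the cookie (e.g. Secure cookie, http scheme)."""
    jar = http.cookiejar.CookieJar()
    # The login response itself arrives over HTTPS in both cases, as on the slides.
    login_req = urllib.request.Request(f"https://{HOST}/login")
    jar.extract_cookies(_FakeResponse(set_cookie_header), login_req)
    # The next page is requested over whichever scheme the site reverted to.
    next_req = urllib.request.Request(f"{scheme}://{HOST}/account")
    jar.add_cookie_header(next_req)
    return next_req.get_header("Cookie")


def audit_set_cookie(set_cookie_header):
    """Hypothetical helper: report whether a Set-Cookie header carries the
    Secure and HttpOnly attributes, so a missing Secure flag can be spotted
    in a server's login response before an attacker does."""
    attrs = {p.strip().split("=", 1)[0].lower()
             for p in set_cookie_header.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_set_cookie(header))
        for scheme in ("https", "http"):
            print(f"  {scheme}://{HOST}/account ->", cookie_sent_over(header, scheme))
```

Run as a script it shows the weak cookie being attached to both the https:// and http:// requests, so a man in the middle on the HTTP leg sees `session=abc123` in the clear, while the hardened cookie is only sent over https://. The Secure attribute is a useful second line of defence, but the slides' point stands: it only works if the site also serves every page over HTTPS, otherwise the browser simply cannot present the session to the HTTP pages and the user appears logged out.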

Thanks

You can find more info covering this and other forms of attack on my blog: http://scotthel.me

Please feel free to share this information generously but do provide attribution back to my site. This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/